CoinVault
CoinVault is ransomware that runs on Microsoft Windows. It is part of the CryptoGraphic family. It was created by two brothers, Melvin and Dennis van de B., aged 21 and 25, from the city of Amersfoort. The brothers were arrested after a fatal coding mistake allowed the Kaspersky Lab experts analyzing the ransomware to discover their real-life names. In the court proceedings, the brothers revealed that they had seen the early version of the Kaspersky blog post but decided to continue spreading their ransomware regardless. On July 26th, 2018, Dutch judges sentenced the two brothers to 240 hours of community service. The judges also ordered them to pay restitution to their victims for the ransom payments they had collected.

Behavior

Unlike other recently released crypto-ransomware, this infection does not use a separate decryption site to take payments and hand out the decrypter; instead, the decryption functionality and the payment system are built directly into the malware executable.

Payload Transmission

CoinVault is distributed via emails with ZIP attachments that contain executables disguised as PDF files. These fake PDFs pretend to be invoices, purchase orders, bills, complaints, or other business communications. When the user double-clicks the fake PDF, it infects the computer with CoinVault and installs the malware files in the %AppData%\Microsoft\Windows\ folder.

Infection

Once the computer is infected, the installer scans its drives for data files, including removable drives, network shares, and even DropBox mappings. In short, if a drive letter exists on the computer, CoinVault scans it for data files and encrypts any that it finds. When CoinVault detects a supported data file, it encrypts the file and then appends the full path of the encrypted file to %Temp%\CoinVaultFileList.txt.
The infection also creates a file called %AppData%\Microsoft\Windows\filelist.txt that lists every file CoinVault attempted to encrypt, one per line. If the file was encrypted successfully, |True is appended to its path; if it could not be encrypted, |False is appended instead.

When CoinVault encrypts the data on the user's computer, it looks for specific files on every drive letter present. This means that USB drives, external hard drives, mapped network drives, and even mapped cloud services such as DropBox are scanned and encrypted if they are assigned a drive letter. While scanning these drives, CoinVault only encrypts files whose names end with one of the following extensions:

.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .3fr, .arw, .srf, .sr2, .mp3, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif, .txt

When the infection has finished scanning the computer, it displays the main CoinVault executable screen. This screen shows the user how much it costs to get their files back, the bitcoin address the payment should be sent to, a list of the files that have been encrypted, and a way to check the payment status. CoinVault also lets the user decrypt one file for free to prove that it can do so. When the user selects a file to decrypt, CoinVault uploads the file to its Command and Control server, decrypts it there, and then saves it back onto the user's computer. Finally, CoinVault changes the user's Windows desktop wallpaper to state "Your files have been encrypted!"
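The two artifact files described above (the %Temp%\CoinVaultFileList.txt list of encrypted paths and the %AppData%\Microsoft\Windows\filelist.txt list of `path|True` / `path|False` attempts) are the most useful evidence a responder has for scoping a CoinVault incident: they say exactly which files on which drive letters were touched, so backup restores and network-share checks can be targeted. The following Python triage helper is an added example, not code from the wiki or from the malware itself. It parses the filelist.txt format as the article describes it, classifies paths against the extension list above, and groups results by drive letter; the sample lines are constructed for illustration, and the assumption that a drive letter (or UNC prefix) can be recovered from each path with `PureWindowsPath` is the author's, not the page's.

```python
"""Triage helper for CoinVault artifact files (added example, not the wiki's or the malware's code).

Parses the filelist.txt format described on the page: one line per attempted file,
"<full path>|True" when the file was encrypted, "<full path>|False" when it was not.
"""
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Extensions the article lists as CoinVault's targets (copied from the page, lower-cased).
COINVAULT_EXTENSIONS = frozenset(
    ext.lower() for ext in """
    .odt .ods .odp .odm .odc .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk
    .ppt .pptx .pptm .mdb .accdb .pst .dwg .dxf .dxg .wpd .rtf .wb2 .mdf .dbf .psd
    .pdd .pdf .eps .ai .indd .cdr .dng .3fr .arw .srf .sr2 .mp3 .bay .crw .cr2 .dcr
    .kdc .erf .mef .mrw .nef .nrw .orf .raf .raw .rwl .rw2 .r3d .ptx .pef .srw .x3f
    .der .cer .crt .pem .pfx .p12 .p7b .p7c .jpg .png .jfif .jpeg .gif .bmp .exif .txt
    """.split()
)

# Constructed sample content of filelist.txt; these paths are invented for the example.
SAMPLE_FILELIST = """
C:\\Users\\alice\\Documents\\invoice.docx|True
C:\\Users\\alice\\Pictures\\holiday.JPG|True
C:\\Users\\alice\\Documents\\open-in-excel.xlsx|False
E:\\backup\\photos\\IMG_0001.cr2|True
Z:\\shared\\contracts\\agreement.pdf|True
C:\\Users\\alice\\Desktop\\notes.txt|False
"""


def is_targeted(path: str) -> bool:
    """True if the file's extension is on CoinVault's target list (comparison is case-insensitive)."""
    return PureWindowsPath(path).suffix.lower() in COINVAULT_EXTENSIONS


def parse_filelist(text: str) -> List[Tuple[str, bool]]:
    """Parse filelist.txt lines into (path, was_encrypted) pairs; malformed lines raise ValueError.

    Windows paths cannot contain '|', so the last '|' always separates path from flag.
    """
    entries: List[Tuple[str, bool]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        path, sep, flag = line.rpartition("|")
        if not sep or flag not in ("True", "False"):
            raise ValueError(f"unexpected filelist line: {line!r}")
        entries.append((path, flag == "True"))
    return entries


def summarize_by_drive(entries: List[Tuple[str, bool]]) -> Dict[str, Dict[str, object]]:
    """Group attempts by drive letter (or UNC prefix): encrypted/failed counts and encrypted paths.

    A non-empty 'encrypted' list under a network or removable drive letter tells the
    responder that the share or device also needs to be restored, not just the local disk.
    """
    per_drive: Dict[str, Dict[str, object]] = {}
    for path, encrypted in entries:
        drive = PureWindowsPath(path).drive.upper() or "?"
        stats = per_drive.setdefault(drive, {"encrypted": 0, "failed": 0, "paths": []})
        if encrypted:
            stats["encrypted"] += 1  # type: ignore[operator]
            stats["paths"].append(path)  # type: ignore[union-attr]
        else:
            stats["failed"] += 1  # type: ignore[operator]
    return per_drive


def encrypted_extension_counts(entries: List[Tuple[str, bool]]) -> Counter:
    """Count successfully encrypted files per (lower-cased) extension, for the incident report."""
    return Counter(PureWindowsPath(p).suffix.lower() for p, ok in entries if ok)


if __name__ == "__main__":
    parsed = parse_filelist(SAMPLE_FILELIST)
    for drive, stats in sorted(summarize_by_drive(parsed).items()):
        print(f"{drive} encrypted={stats['encrypted']} failed={stats['failed']}")
        for p in stats["paths"]:  # type: ignore[union-attr]
            print(f"    {p}")
    print("by extension:", dict(encrypted_extension_counts(parsed)))
```

The `|False` entries are worth keeping in the report as well: the page says they are files CoinVault tried but could not encrypt (for example because another program held them open), so they are candidates for verification rather than restore. In a live case, the real filelist.txt would be read from the infected profile and the drive grouping used to decide which shares and removable media to pull for recovery.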